
S0183 Tor

Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes "Onion Routing," in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. [1]

ID: S0183
Associated Names: (none listed)
Type: TOOL
Version: 1.4
Created: 16 January 2018
Last Modified: 29 September 2025

Techniques Used

Domain | ID | Name | Use
enterprise | T1573 | Encrypted Channel | -
enterprise | T1573.002 | Asymmetric Cryptography | Tor encapsulates traffic in multiple layers of encryption, using TLS by default. [1]
enterprise | T1090 | Proxy | -
enterprise | T1090.003 | Multi-hop Proxy | Traffic traversing the Tor network will be forwarded to multiple nodes before exiting the Tor network and continuing on to its intended destination. [1]

Groups That Use This Software

ID | Name | References
G1032 | INC Ransom | [6] [7] [8]
G1015 | Scattered Spider | Scattered Spider has used Tor to communicate with targeted organizations. [9]
G0007 | APT28 | [10]
G0016 | APT29 | [11]
G1050 | Water Galura | Water Galura maintains a Tor-hosted data leaks site for Qilin ransomware and affiliates. [13] [12]
G0065 | Leviathan | [14]

References

  1. Roger Dingledine, Nick Mathewson and Paul Syverson. (2004). Tor: The Second-Generation Onion Router. Retrieved December 21, 2017.
  2. Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved July 8, 2024.
  3. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China's hidden hacking groups. Retrieved October 8, 2020.
  4. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  5. Google Threat Intelligence Group. (2025, June 4). The Cost of a Call: From Voice Phishing to Data Extortion. Retrieved October 22, 2025.
  6. Counter Threat Unit Research Team. (2024, April 15). GOLD IONIC DEPLOYS INC RANSOMWARE. Retrieved June 5, 2024.
  7. SentinelOne. (n.d.). What Is Inc. Ransomware? Retrieved June 5, 2024.
  8. SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024.
  9. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
  10. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  11. Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024.
  12. Bradshaw, A. et al. (2025, April 1). Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream. Retrieved September 26, 2025.
  13. Thomas, W. (2024, June 12). Tracking Adversaries: The Qilin RaaS. Retrieved September 26, 2025.
  14. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China's MSS Hainan State Security Department. Retrieved August 12, 2021.